If there’s one lesson to be learned from the way authentication company Okta approaches international security training, it's that bad actors are everywhere.

Phishing emails, password sprays, man-in-the-middle attacks — no matter what country the hacker is in, a threat is still a threat. “If you don't have a strong password that's coupled with a multifactor authentication and...policies in the background to protect the account,” Okta CSO Yassir Abousselham says, “then there's increased risk to that account and really that’s location agnostic.”

The way global employees learn about security best practices often is not location agnostic, however. Country can impact which information they should receive and how they receive it. Awareness efforts might need to be in a different language. In the end, there is no single rule: How security teams approach international awareness truly depends on an individual business’s needs.

According to Nicole Eagan, CEO of software company Darktrace, only two out of every ten cybersecurity experts typically embrace artificial intelligence (AI) as a key component of threat detection. The others, she explains, tend to be "totally resistant" or agree to "give [AI] a try" but don’t put in the effort required to make the most of the tech post-purchase.

Granted, information security professionals are known to be risk-averse, which has the flip side of sometimes making them resistant to trying out new tech — and for good reason: Protecting the company against risk is the number one job. Yet, theoretically, AI has the potential to identify a larger number of problems more quickly. So why doesn’t every security team use it?

https://www.csoonline.com/article/3332690/why-ai-based-threat-detection-hasnt-taken-over-the-market-yet.html
Why SMS banking is still a bad idea
Tue, 21 Aug 2018 03:00:00 -0700, Terena Bell

Bank with Capital One and you can have account information sent to you by text. In March 2017, the bank started piloting Eno, an SMS-based chatbot customers use to check balances, view transactions, and process similar requests. Users love it, spokesperson Shelley Solheim says, sharing that 95 percent recommend the bot and that since launch, "Eno [has] exchanged hundreds of thousands of texts.”

On August 1, Facebook’s chief security officer (CSO), Alex Stamos, posted that he’s leaving on August 17. “We are not naming a new CSO,” says an unnamed Facebook spokesperson. Instead, the spokesperson continues, “We embedded our security engineers, analysts, investigators and other specialists in our product and engineering teams.” In other words, in less than two weeks, no central point person will own security. “The senior leaders of those teams will be responsible for keeping Facebook and people's information secure,” he explains.

https://www.csoonline.com/article/3295867/does-facebook-even-need-a-cso.html
The chatbot revolution will (not) be secure
Thu, 26 Jul 2018 03:00:00 -0700, Terena Bell

Verizon Vice President of Digital Ashok Kumar believes chatbots will soon replace websites as the user interface (UI) of choice. He’s likely right: According to a 2017 Grand View Research report, roughly 45 percent of consumers already prefer to address customer service concerns by bot, and Oracle claims that by 2020, 80 percent of sales and marketing departments will be using bots.

(Insider Story) https://www.csoonline.com/article/3291321/the-chatbot-revolution-will-not-be-secure.html
5 tips to thwart medical device attacks (IDG Insider)
Thu, 31 May 2018 03:00:00 -0700, Terena Bell

From Trojan.Kwampirs to KRACK, the last year has seen no shortage of reminders that medical devices are subject to attack. On April 23, software provider Symantec reported that it had analyzed Kwampirs backdoor hacks from cybercriminal group Orangeworm: 39 percent were on healthcare equipment like x-ray machines, MRIs, and systems used to complete patient consent forms. KRACK, on the other hand, didn’t attack devices. Rather, it compromised Wi-Fi Protected Access II (WPA2) — the connection between devices.

Simply put, cyber resilience is a measure of how well an organization can operate its business during a data breach or cyber attack. Security teams have measures in place to detect and stop attacks, and they have recovery plans for the inevitable breach, but can they, along with IT, keep critical business processes such as order fulfillment, customer service, or accounting operating during a crisis?

If you want coworkers to support security, the first thing Nick Hilderman suggests is a positive attitude. “Security is often focusing on the negative aspects of things — on what could happen, the fear, uncertainty and doubt,” he says. Hilderman is senior security analyst at Finning International, a Canada-based distributor of Caterpillar equipment that is two years into an infosec advertising campaign. This campaign doesn’t market to customers. It’s an internal push to help Finning’s non-tech employees understand how important cybersecurity is.

Want to reduce your release cycle from 203 to 100 days — and make it more secure? Fannie Mae did. Vice-president of development services Michael Garcia credits lean, a quality improvement philosophy focused on maximizing customer value while minimizing waste. It’s a tactic typically associated with manufacturers. Fannie Mae doesn’t make widgets, and to benefit, you don’t have to either. The lean mentality can apply to anything.

It was one of the 17 biggest data breaches of the 21st century: October 2013, hackers stole login information and nearly 3 million credit card numbers from 38 million Adobe users. The company is still dealing with the cleanup, and the recent announcement of a new Experience Cloud feature makes security even more important than before.

It’s been a busy week for breaches. On Monday, Krebs on Security revealed that over an eight-month period, Panera Bread ignored the leak of more than 37 million customers’ data. Then Wednesday night, news broke of a September breach at customer interface provider [24]7.ai. Its full extent is still unknown, but as of this writing, [24]7 customer Delta Airlines says “several hundred thousand customers” may have been exposed, and fellow client Sears Holdings says under 100,000 customer credit card numbers were accessed.

https://www.csoonline.com/article/3268111/5-myths-of-api-security.html
Third-party security vetting: Do it before you sign a contract
Mon, 12 Mar 2018 03:00:00 -0700, Terena Bell

If you’re talking about stopping security risks from an outside vendor already on board, Jerry Archer says, “You've already failed.” Chief security officer for Sallie Mae, Archer contends that risk mitigation should begin before your company closes the deal. That’s why his team has a go or no-go vote for any vendor Sallie Mae brings on. That’s not restricted to vendors IT typically oversees, like authentication tech or API gateway services. Not a single tool is onboarded by any department without security’s approval.

The end of net neutrality might mean third-party browser tracking, the deprivatization of online transactions, spyware on your phone, and more. At least that’s what Dr. Kenneth Williams claims.

Williams is director of the American Public University System (APUS) Center for Cyber Defense. When asked how net neutrality’s end could cause all this doom and gloom, the explanation requires a few steps: “When net neutrality ends, [antimalware software] providers are now at a higher cost to service providers,” he begins. This, in turn, could raise the cost of internet access for users who want to maintain the data safeguards their internet service provider (ISP) used before.